From: Stefan van der Eijk (stefan_at_eijk.nu)
Date: Sun 05 May 2002 - 22:19:04 BST
Hi,
I'm trying to get the CTX patch to work with Mandrake's development
kernels. While applying the patch I noticed that the CTX patch conflicts
with an earlier applied patch (the gr security patch, see
http://www.grsecurity.org/ ). Before I continue trying to figure things
out I've got a few questions:
- If somebody wants to run the kernel without CTX functionality, will a
CTX-enabled kernel have any disadvantages compared with a normal kernel?
- Are you planning to add configurable kernel options for the CTX
functionality?
- Does the GR security functionality conflict with CTX?
- Is there a smart way to merge the GR security and CTX patches?
I've tried to merge the CTX patch; the resulting diff against the original
patch is attached to this email.
kind regards,
Stefan van der Eijk
Parts where conflicts are found:
$ less ./fs/proc/base.c.rej
***************
*** 1019,1022 ****
if (!pid)
continue;
if (--index >= 0)
continue;
--- 1025,1041 ----
if (!pid)
continue;
+ /* Even if the pid 1 is not part of the security context */
+ /* we show it anyway. This makes the security box */
+ /* more standard (and helps pstree do its job) */
+ /* So current process "knows" pid 1 exist anyway and
can't */
+ /* send any signal either */
+
+ /* A process with security context 1 can see all
processes */
+ if (pid != 1
+ && current->s_context != 1
+ && p->s_context != current->s_context) continue;
+ /* We hide the fakeinit process since we show it as
process 1 */
+ if (current->s_info != NULL
+ && current->s_info->initpid == pid) continue;
if (--index >= 0)
continue;
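Review bot: The context test visible here sits only in the pid enumeration loop, so it controls what a listing of /proc shows. Whether a direct lookup of `/proc/<pid>` for a task in another context is refused depends on code outside this hunk, and that path needs the same `s_context` comparison for the hiding to be effective. The comment's claim that the process "can't send any signal either" is likewise enforced by the kernel/signal.c hunks, not by these lines. I would say so in a comment, e.g. `/* listing filter only: /proc/<pid> lookup and signal delivery apply their own s_context checks */`. The loop begins and ends outside the hunk.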
$ less ./fs/proc/base.c
if (!pid)
continue;
#ifdef CONFIG_GRKERNSEC_ACL
if(gr_check_hidden_task(p))
continue;
#endif
if (--index >= 0)
continue
=====================================================================================
$ less ./kernel/signal.c.rej
***************
*** 593,597 ****
read_lock(&tasklist_lock);
for_each_task(p) {
! if (p->pgrp == pgrp) {
int err = send_sig_info(sig, info, p);
if (retval)
--- 593,599 ----
read_lock(&tasklist_lock);
for_each_task(p) {
! if (p->pgrp == pgrp
! && ((long)info==1
! || p->s_context ==
current->s_context)) {
int err = send_sig_info(sig, info, p);
if (retval)
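Review bot: The process-group loop here exempts only the `(long)info==1` marker from the context test, while the `642,663` hunk below also lets through a real siginfo whose `si_code` is `SI_KERNEL`. A kernel-raised signal carrying a full siginfo would therefore be filtered by context on this path but not on the single-pid path, and the two sites also cast `info` differently (`long` vs `unsigned long`). If the difference is not intended, a helper shared by both sites keeps the rule in one place; the name below is only a suggestion. The `682,686` broadcast loop applies the bare context test with no exemption, which is worth confirming as deliberate. The enclosing function starts and ends outside the hunk.

```c
/* Proposed helper: the context rule for signal delivery in one place. */
static inline int ctx_signal_allowed(struct siginfo *info, struct task_struct *p)
{
	unsigned long marker = (unsigned long)info;

	if (marker == 1)	/* same exemption as the existing info==1 test */
		return 1;
	if (marker > 1 && info->si_code == SI_KERNEL)	/* real siginfo raised by the kernel */
		return 1;
	return p->s_context == current->s_context;
}

/* … unchanged: read_lock(&tasklist_lock); for_each_task(p) { … */
		if (p->pgrp == pgrp && ctx_signal_allowed(info, p)) {
```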
***************
*** 640,645 ****
p = find_task_by_pid(pid);
error = -ESRCH;
! if (p)
! error = send_sig_info(sig, info, p);
read_unlock(&tasklist_lock);
return error;
--- 642,663 ----
p = find_task_by_pid(pid);
error = -ESRCH;
! if (p != NULL){
! switch((unsigned long)info) {
! case 0:
! if(p->s_context == current->s_context){
! error = send_sig_info(sig, info, p);
! }
! break;
! case 1:
! error = send_sig_info(sig, info, p);
! break;
! default:
! if( info->si_code == SI_KERNEL
! || p->s_context == current->s_context){
! error = send_sig_info(sig, info, p);
! }
! break;
! }
! }
read_unlock(&tasklist_lock);
return error;
***************
*** 664,668 ****
read_lock(&tasklist_lock);
for_each_task(p) {
! if (p->pid > 1 && p != current) {
int err = send_sig_info(sig, info, p);
++count;
--- 682,686 ----
read_lock(&tasklist_lock);
for_each_task(p) {
! if (p->pid > 1 && p != current && p->s_context
== current->s_context) {
int err = send_sig_info(sig, info, p);
++count;
=====================================================================================
$ less ./kernel/sys.c.rej
***************
*** 1116,1119 ****
{
int errno;
if (!capable(CAP_SYS_ADMIN))
--- 1186,1190 ----
{
int errno;
+ char *domainname;
if (!capable(CAP_SYS_ADMIN))
=====================================================================================
$ less ./Makefile.rej
***************
*** 2,6 ****
PATCHLEVEL = 4
SUBLEVEL = 18
! EXTRAVERSION =
KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
--- 2,6 ----
PATCHLEVEL = 4
SUBLEVEL = 18
! EXTRAVERSION =ctx-10
KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
less ./Makefile
PATCHLEVEL = 4
SUBLEVEL = 19
EXTRAVERSION = -pre6
KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
=====================================================================================
--- patch-2.4.18ctx-10.orig 2002-04-15 19:28:22.000000000 +0200
+++ patch-2.4.18ctx-10 2002-05-05 23:13:38.000000000 +0200
@@ -5,13 +5,13 @@
*** 2,6 ****
PATCHLEVEL = 4
SUBLEVEL = 18
-! EXTRAVERSION =
+! EXTRAVERSION = -pre6
KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
--- 2,6 ----
PATCHLEVEL = 4
SUBLEVEL = 18
-! EXTRAVERSION =ctx-10
+! EXTRAVERSION = pre6-ctx-10
KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
diff -rc2P linux-2.4.18/arch/i386/kernel/entry.S linux-2.4.18ctx-10/arch/i386/kernel/entry.S
@@ -758,25 +758,26 @@
dentry->d_op = &pid_base_dentry_operations;
***************
-*** 1019,1022 ****
---- 1025,1041 ----
- if (!pid)
- continue;
-+ /* Even if the pid 1 is not part of the security context */
-+ /* we show it anyway. This makes the security box */
-+ /* more standard (and helps pstree do its job) */
-+ /* So current process "knows" pid 1 exist anyway and can't */
-+ /* send any signal either */
-+
-+ /* A process with security context 1 can see all processes */
-+ if (pid != 1
-+ && current->s_context != 1
-+ && p->s_context != current->s_context) continue;
-+ /* We hide the fakeinit process since we show it as process 1 */
-+ if (current->s_info != NULL
-+ && current->s_info->initpid == pid) continue;
- if (--index >= 0)
- continue;
+*** 1095,1098 ****
+--- 1095,1111 ----
+ if (!pid)
+ continue;
++ /* Even if the pid 1 is not part of the security context */
++ /* we show it anyway. This makes the security box */
++ /* more standard (and helps pstree do its job) */
++ /* So current process "knows" pid 1 exist anyway and can't */
++ /* send any signal either */
++
++ /* A process with security context 1 can see all processes */
++ if (pid != 1
++ && current->s_context != 1
++ && p->s_context != current->s_context) continue;
++ /* We hide the fakeinit process since we show it as process 1 */
++ if (current->s_info != NULL
++ && current->s_info->initpid == pid) continue;
+ #ifdef CONFIG_GRKERNSEC_ACL
+ if(gr_check_hidden_task(p))
+ continue;
diff -rc2P linux-2.4.18/fs/udf/inode.c linux-2.4.18ctx-10/fs/udf/inode.c
*** linux-2.4.18/fs/udf/inode.c Tue Feb 26 22:22:08 2002
--- linux-2.4.18ctx-10/fs/udf/inode.c Tue Feb 26 22:31:23 2002
@@ -1351,14 +1352,13 @@
+ }
read_unlock(&tasklist_lock);
spin_lock_irq(&runqueue_lock);
-diff -rc2P linux-2.4.18/kernel/signal.c linux-2.4.18ctx-10/kernel/signal.c
*** linux-2.4.18/kernel/signal.c Fri Nov 23 15:07:52 2001
--- linux-2.4.18ctx-10/kernel/signal.c Tue Feb 26 22:31:23 2002
***************
*** 593,597 ****
read_lock(&tasklist_lock);
for_each_task(p) {
-! if (p->pgrp == pgrp) {
+! if (p->pgrp == pgrp && thread_group_leader(p)) {
int err = send_sig_info(sig, info, p);
if (retval)
--- 593,599 ----
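Review bot: Only the old side of the inner `593,597` hunk gains `thread_group_leader(p)` here. Its `--- 593,599` new side falls in the unchanged gap before the next hunk, so it presumably still reads as in the reject above (`p->pgrp == pgrp && ((long)info==1 || p->s_context == current->s_context)`). Applying the merged patch would then drop the leader test from the process-group loop, whereas the later `766,770` hunk carries the test on both sides. The new-side condition should probably become `if (p->pgrp == pgrp && thread_group_leader(p) && ((long)info==1 || p->s_context == current->s_context)) {`.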
@@ -1370,17 +1370,31 @@
int err = send_sig_info(sig, info, p);
if (retval)
***************
-*** 640,645 ****
+*** 712,717 ****
p = find_task_by_pid(pid);
error = -ESRCH;
-! if (p)
-! error = send_sig_info(sig, info, p);
- read_unlock(&tasklist_lock);
- return error;
---- 642,663 ----
+! if (p) {
+ #ifdef CONFIG_GRKERNSEC_ACL
+ if( !(gr_check_protected_task(p)) || current->pid == 1)
+ #endif
+--- 712,718 ----
p = find_task_by_pid(pid);
error = -ESRCH;
-! if (p != NULL){
+! if (p != NULL)
+ #ifdef CONFIG_GRKERNSEC_ACL
++ {
+ if( !(gr_check_protected_task(p)) || current->pid == 1)
+ #endif
+***************
+*** 723,727 ****
+ p = tg;
+ }
+! error = send_sig_info(sig, info, p);
+ }
+ }
+--- 724,742 ----
+ p = tg;
+ }
! switch((unsigned long)info) {
! case 0:
! if(p->s_context == current->s_context){
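Review bot: On the new side of the inner `712,718` hunk the opening brace of `if (p != NULL)` has moved onto its own added line inside `#ifdef CONFIG_GRKERNSEC_ACL`, so it exists only when that option is set. If I read the inner markers correctly, a build without the option keeps the closing braces further down but loses the opener. That either fails to compile or changes which statements the NULL check governs, and it matters for anyone wanting to build without the grsecurity ACL code. Keeping the brace on the unconditional line avoids this: `if (p != NULL) {` on the `!` line, with the added `{` line dropped. The function body continues outside this hunk.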
@@ -1396,21 +1410,19 @@
! error = send_sig_info(sig, info, p);
! }
! break;
-! }
-! }
- read_unlock(&tasklist_lock);
- return error;
+ }
+ }
***************
-*** 664,668 ****
- read_lock(&tasklist_lock);
- for_each_task(p) {
-! if (p->pid > 1 && p != current) {
+*** 766,770 ****
+ if(!(gr_check_protected_task(p) || current->pid == 1))
+ #endif
+! if (p->pid > 1 && p != current && thread_group_leader(p)) {
int err = send_sig_info(sig, info, p);
++count;
---- 682,686 ----
- read_lock(&tasklist_lock);
- for_each_task(p) {
-! if (p->pid > 1 && p != current && p->s_context == current->s_context) {
+--- 766,770 ----
+ if(!(gr_check_protected_task(p) || current->pid == 1))
+ #endif
+! if (p->pid > 1 && p != current && thread_group_leader(p) && p->s_context == current->s_context) {
int err = send_sig_info(sig, info, p);
++count;
***************
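Review bot: The grsecurity guard carried into this hunk, `if(!(gr_check_protected_task(p) || current->pid == 1))`, is parenthesised differently from the one in the `712,718` hunk, `if( !(gr_check_protected_task(p)) || current->pid == 1)`. The first form is false whenever the sender is pid 1; the second is true for pid 1. These are context lines rather than CTX changes, so they may simply mirror the target tree. Because the guard has no braces and now governs the combined `thread_group_leader(p) && p->s_context == current->s_context` test, it is worth confirming which form is intended before relying on the merged result. The enclosing loop starts outside the hunk.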
@@ -1727,8 +1739,8 @@
errno = -EFAULT;
up_read(&uts_sem);
***************
-*** 1066,1069 ****
---- 1136,1140 ----
+*** 1268,1271 ****
+--- 1268,1272 ----
{
int errno;
+ char *domainname;